Lecture 11 

Square Roots, Tonelli's Algorithm, Number of Consecutive Pairs of Squares mod p 



Defined the Jacobi symbol, used to compute the Legendre symbol (quadratic character) efficiently.



Eg.

(1729|223) = (168|223) = (4 · 42|223) = (42|223)
= (2|223)(21|223) = (21|223) = (223|21) = (13|21)
= (21|13) = (8|13) = (2|13) = −1



$$(-1|p) = \begin{cases} -1 & \text{if } p \equiv 3 \pmod 4 \\ \phantom{-}1 & \text{if } p \equiv 1 \pmod 4 \end{cases}
\qquad
(2|p) = \begin{cases} -1 & \text{if } p \equiv \pm 3 \pmod 8 \\ \phantom{-}1 & \text{if } p \equiv \pm 1 \pmod 8 \end{cases}$$



Lemma 43. If p, q, r are distinct odd primes, and q ≡ r mod 4p, then (p|q) = (p|r).

Proof. We know (q|p) = (r|p) since q ≡ r mod p. Also, q and r are both either 1 mod 4 or both 3 mod 4. So

$$(p|q) = (q|p)\,(-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}} = (r|p)\,(-1)^{\frac{p-1}{2}\cdot\frac{r-1}{2}} = (p|r). \qquad \blacksquare$$



Eg. Characterize the primes p for which 17 is a square mod p. It's clear that 17 is a square mod 2. Since 17 ≡ 1 mod 4, if q ≡ r mod 17 then (17|q) = (17|r). So we only need to look mod 17 to see when (17|q) = (q|17) = 1. Go through mod 17: ±1, ±2, ±4, ±8 mod 17 are the nonzero square classes, so 17 is a square mod q iff q = 2, 17, or q ≡ ±1, ±2, ±4, ±8 mod 17.

If we had asked for 19, we need to look at classes mod 4 · 19, since 19 ≢ 1 mod 4. (If q ≡ 1 mod 4 then (19|q) = (q|19), so we need q to be a square mod 19. If q ≡ 3 mod 4 then (19|q) = −(q|19), so we need q to be a non-square mod 19.)

Euclidean gcd Algorithm. Given a, b ∈ Z, not both 0, find (a, b).

1. If a or b is negative, replace it with its negative.

2. If a > b, switch a and b.

3. If a = 0, return b.

4. Since a > 0, write b = aq + r with 0 ≤ r < a. Replace (a, b) with (r, a) and go to Step 3.

Tonelli's Algorithm. To compute square roots mod p (used to solve $x^2 \equiv a \pmod p$). Need a quadratic non-residue mod p, called n. Let g be a primitive root mod p. Now let $p - 1 = 2^s t$, for t odd. We know n is a power of g, say $n = g^k$.

Set $c = n^t = g^{kt}$.

Claim: The order of c is exactly $2^s$.

Proof.
$$c^{2^s} = (g^{kt})^{2^s} = (g^{p-1})^k \equiv 1 \pmod p$$

So ord(c) has to divide $2^s$, so it's a power of 2. If we can show that $c^{2^{s-1}} \not\equiv 1 \pmod p$ then the order has to be $2^s$.

$$c^{2^{s-1}} = g^{kt2^{s-1}} = (g^{(p-1)/2})^k \equiv (-1)^k \pmod p, \text{ since } g \text{ is a primitive root.}$$

Note that k is odd since otherwise $n = g^k$ would be a quadratic residue, so we get $c^{2^{s-1}} \equiv -1 \pmod p$, proving the claim that ord(c) = $2^s$. ∎

Lemma 44. If a, b are coprime to p and have order $2^j$ mod p (for j > 0) then ab has order $2^k$ for some k < j.

Proof. Since $a^{2^j} \equiv 1 \pmod p$, i.e. $(a^{2^{j-1}})^2 \equiv 1 \pmod p$, we have $a^{2^{j-1}} \equiv \pm 1 \pmod p$. So we must have $a^{2^{j-1}} \equiv -1 \pmod p$, since ord(a) = $2^j$. Similarly $b^{2^{j-1}} \equiv -1 \pmod p$. Therefore, $(ab)^{2^{j-1}} \equiv 1 \pmod p$, so the order has to divide $2^{j-1}$, so k < j. ∎
Proof of Tonelli's Algorithm. First check (by repeated squaring) if $a^{(p-1)/2} \equiv 1 \pmod p$. If not, terminate with "false." So assume from now on that $a^{(p-1)/2} \equiv 1 \pmod p$.

Set A = a and b = 1. At each step $a \equiv Ab^2 \pmod p$. At the end, want A = 1, so b is a square root of a mod p.

Each step: decrease the power of 2 dividing the order of A. To start with, $A^{(p-1)/2} = A^{2^{s-1} t} \equiv 1 \pmod p$. Check if $A^{2^{s-2} t} \equiv 1 \pmod p$.

If not, then $A^{2^{s-2} t} \equiv -1 \pmod p$ (since $(A^{2^{s-2} t})^2 \equiv 1 \pmod p$). So the power of 2 dividing ord(A) is exactly $2^{s-1}$. Same as the power of 2 dividing ord($c^2$) = $2^{s-1}$. So set $A = Ac^{-2}$, $b = bc \pmod p$. Notice that

$$(Ac^{-2})^{2^{s-2} t} = A^{2^{s-2} t}\,(c^{2^{s-1}})^{-t} = (-1)(-1)^{-t} = (-1)(-1)^{t} \equiv 1 \pmod p \quad (t \text{ odd}),$$

so ord($Ac^{-2}$) divides $2^{s-2} t$, so the power of 2 dividing the order is at most $2^{s-2}$, so it has decreased by 1.

If yes (i.e., $A^{2^{s-2} t} \equiv 1 \pmod p$), do nothing.

Next step: check if $A^{2^{s-3} t} = A^{(p-1)/8} \equiv 1 \pmod p$.

If no (i.e., $A^{2^{s-3} t} \equiv -1 \pmod p$), set $A := Ac^{-4}$, $b := bc^2$ ($c^4$ has order $2^{s-2}$). Then $(Ac^{-4})^{2^{s-3} t} \equiv 1$.

If yes, do nothing.

After at most s steps we'll reach the stage when $a \equiv Ab^2 \pmod p$ and the power of 2 dividing ord(A) is 1, i.e., ord(A) is odd. Now we just compute a square root of A as follows: ord(A) is odd and divides $p - 1 = 2^s t$, so it divides t. So $A^t \equiv 1 \pmod p$ (t odd). Claim: $A^{(t+1)/2}$ is a square root of A mod p.

$$(A^{(t+1)/2})^2 = A^{t+1} = A^t A \equiv 1 \cdot A = A \pmod p$$

So the algorithm just returns $bA^{(t+1)/2} \pmod p$.

Eg. If p ≡ 3 mod 4 and a is a quadratic residue mod p, then a square root of a is $a^{(p+1)/4}$ (its square is $a^{(p+1)/2} = a^{(p-1)/2}\,a \equiv a \pmod p$).

Efficient poly-log time assuming we can find a quadratic non-residue n efficiently. A random number is a quadratic non-residue with probability 1/2, so if we run k trials, the probability of not getting a quadratic non-residue is $1/2^k$, which is $1/p$ if k is $\log_2 p$. So, this is an efficient randomized algorithm. No efficient deterministic algorithm has yet been found. Simplest is to check the primes in order; we expect a quadratic non-residue mod p which is less than $c(\log p)^2$, true if we assume the ERH.
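Tonelli's algorithm exactly as laid out above (Euler's criterion check, a non-residue n found by random trials, c = n^t, then the A, b fix-up rounds ending with A^((t+1)/2)), written here as an added Python example rather than code from the notes. The names `tonelli`, `both_roots` and the seeded `_rng` are chosen here; p is assumed to be an odd prime.

```python
import random
from typing import Optional

_rng = random.Random(1)   # seeded only so repeated runs pick the same non-residue

def tonelli(a: int, p: int) -> Optional[int]:
    """Square root of a mod the odd prime p, or None when a is a quadratic non-residue."""
    a %= p
    if a == 0:
        return 0
    # Euler's criterion by repeated squaring: terminate with "false" for a non-residue.
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    # Write p - 1 = 2^s * t with t odd.
    s, t = 0, p - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    # Random trials find a non-residue n with probability 1/2 each; c = n^t has order 2^s.
    while True:
        n = _rng.randrange(2, p)
        if pow(n, (p - 1) // 2, p) == p - 1:
            break
    c = pow(n, t, p)
    # Invariant: a = A * b^2 (mod p). Round i tests A^(2^(s-1-i) t); on -1 it multiplies
    # A by c^(-2^i) (whose order 2^(s-i) matches the 2-part of ord(A)) and b by c^(2^(i-1)).
    A, b = a, 1
    for i in range(1, s):
        if pow(A, (1 << (s - 1 - i)) * t, p) != 1:
            ci = pow(c, 1 << (i - 1), p)              # c^(2^(i-1))
            A = A * pow(ci * ci, p - 2, p) % p        # A := A * c^(-2^i), inverse by Fermat
            b = b * ci % p
    # ord(A) is now odd and divides t, so A^((t+1)/2) squares to A^(t+1) = A.
    # (When s = 1, i.e. p = 3 mod 4, no rounds run and the result is just a^((p+1)/4).)
    return b * pow(A, (t + 1) // 2, p) % p

def both_roots(a: int, p: int) -> Optional[tuple]:
    """The solutions of x^2 = a (mod p) in increasing order, or None."""
    r = tonelli(a, p)
    return None if r is None else tuple(sorted({r, (p - r) % p}))
```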

Question: Pairs of squares problem. How many numbers x mod p are there such that x and x + 1 mod p are both squares mod p?

Rough heuristic: if x and x + 1 were independent, roughly p/4 solutions.

Define (0|p) = 0. Then $\sum_{x \bmod p} (x|p) = 0$. Also, the number of solutions to $y^2 \equiv x \pmod p$ for fixed x is $1 + (x|p)$. Also, if $x \neq 0$ then $\tfrac12(1 + (x|p))$ is 1 if x is a square and 0 if x is not a square.

So, the number of x such that x, x + 1 are both squares (the x = 0 term is 1 and the x = −1 term is $\tfrac12(1 + (-1|p))$, since 0 is a square):

$$N = \sum_{x=0}^{p-2} [\,x,\ x+1 \text{ both squares}\,] = 1 + \tfrac12\big(1 + (-1|p)\big) + \sum_{\substack{x \bmod p \\ x \neq 0,-1}} \tfrac14\big(1 + (x|p)\big)\big(1 + (x+1|p)\big).$$

Now

$$\sum_{\substack{x \bmod p \\ x \neq 0,-1}} \tfrac14\big(1 + (x|p) + (x+1|p) + (x|p)(x+1|p)\big)$$

splits into four sums:

$$\tfrac14 \sum_{x \neq 0,-1} 1 = \frac{p-2}{4}$$

$$\tfrac14 \sum_{x \neq 0,-1} (x+1|p) = \tfrac14\Big(\sum_{x \bmod p} (x+1|p) - (1|p) - (0|p)\Big) = -\tfrac14$$

$$\tfrac14 \sum_{x \neq 0,-1} (x|p) = \tfrac14\Big(\sum_{x \bmod p} (x|p) - (0|p) - (-1|p)\Big) = -\tfrac14\,(-1|p)$$

$$\tfrac14 \sum_{x \neq 0,-1} (x|p)(x+1|p) = \tfrac14 \sum_{x \neq 0,-1} (x|p)^{-1}(x+1|p) = \tfrac14 \sum_{x \neq 0,-1} (1 + x^{-1}|p) = \tfrac14\Big(\sum_{y \bmod p} (y|p) - (0|p) - (1|p)\Big) = -\tfrac14,$$

using $(x|p)^{-1} = (x|p)$ for $x \neq 0$ and the fact that $y = 1 + x^{-1}$ runs over every class except 0 and 1 as x runs over the classes other than 0 and −1.

Add them up to get

$$N = 1 + \tfrac12\big(1 + (-1|p)\big) + \frac{p-2}{4} - \tfrac14 - \tfrac14\,(-1|p) - \tfrac14 = \frac{p + 2 + (-1|p)}{4}.$$

If we want x − 1, x, x + 1 to all be squares, it is much more complicated.
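A brute-force check of the consecutive-squares count against the closed form (p + 2 + (−1|p))/4, and of the three character sums the derivation relies on; this is an added example, not from the notes, with `legendre`, `count_consecutive_squares`, `predicted` and `character_sum_check` as names chosen here.

```python
def legendre(x: int, p: int) -> int:
    """Legendre symbol (x|p) for an odd prime p, with (0|p) = 0, via Euler's criterion."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1

def count_consecutive_squares(p: int) -> int:
    """Number of x mod p with x and x + 1 both squares mod p, counted directly."""
    squares = {y * y % p for y in range(p)}          # 0 counts as a square
    return sum(1 for x in range(p) if x in squares and (x + 1) % p in squares)

def predicted(p: int) -> int:
    """The lecture's closed form (p + 2 + (-1|p)) / 4, which is always an integer."""
    return (p + 2 + legendre(-1, p)) // 4

def character_sum_check(p: int) -> bool:
    """Verify the partial sums over x != 0, -1 used in the derivation."""
    xs = [x for x in range(p) if x not in (0, p - 1)]
    s_next = sum(legendre(x + 1, p) for x in xs)                    # should be -1
    s_self = sum(legendre(x, p) for x in xs)                        # should be -(-1|p)
    s_prod = sum(legendre(x, p) * legendre(x + 1, p) for x in xs)   # should be -1
    return s_next == -1 and s_self == -legendre(-1, p) and s_prod == -1
```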